AnyConnect VPN connection events appear constantly, even with no active users

Roey1984
Building a reputation


Hi everyone,

Since enabling Cisco AnyConnect on our MX appliance, we’ve been seeing a constant stream of these logs every few seconds, even when no one is actively connected to the VPN.


See attached screenshot for reference.

According to Meraki support (ticket already opened), these events do not necessarily mean that a client has authenticated. Their explanation was:

"The log indicates that someone or some system initiated a VPN handshake, but it doesn't mean that the client has been authenticated.
You can read more about that log here: https://community.meraki.com/t5/Security-SD-WAN/AnyConnect-VPN-connection-concerns/m-p/256097"

They suggested changing the **default secure port** from 443 to another value. The idea is that the MX will stop listening on TCP 443 for AnyConnect, which might reduce the number of handshake attempts from bots or scanners.

Has anyone tried changing the default port? Did it reduce these connection attempts?
Are there any other best practices or suggestions for reducing this noise or better securing the endpoint?

Thanks in advance!
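As an added illustration (not code from this thread, from Meraki, or from Cisco), one way to triage this kind of noise is to correlate each connection/handshake event with a successful authentication from the same source IP within a short window: sources that handshake repeatedly but never authenticate are scanner noise, while sources that do authenticate are real sessions. The log lines below are constructed for the example, and the event names `vpn_connect` / `vpn_auth_ok` and the `src=`/`user=` field layout are assumptions, not the MX's actual event format.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample events (not real Meraki/AnyConnect log output; the
# event names and field layout are assumptions made for this example).
SAMPLE_LOG = """\
2025-07-07T18:30:01Z vpn_connect src=203.0.113.10
2025-07-07T18:30:05Z vpn_connect src=203.0.113.10
2025-07-07T18:30:09Z vpn_connect src=198.51.100.7
2025-07-07T18:30:12Z vpn_auth_ok src=198.51.100.7 user=alice
2025-07-07T18:30:20Z vpn_connect src=203.0.113.10
2025-07-07T18:31:02Z vpn_connect src=192.0.2.55
2025-07-07T18:31:40Z vpn_connect src=203.0.113.11
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<event>vpn_connect|vpn_auth_ok)\s+src=(?P<src>\S+)"
    r"(?:\s+user=(?P<user>\S+))?$"
)


def parse_events(text):
    """Parse log text into (timestamp, event, src, user) tuples.
    Lines that do not match the assumed layout are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append((ts, m["event"], m["src"], m["user"]))
    return events


def summarize(text, window=timedelta(seconds=60)):
    """Per source IP, count handshakes and split them into those followed by a
    successful authentication from the same IP within `window` and those not."""
    events = parse_events(text)

    # Index authentication times by source so each handshake can be checked quickly.
    auth_times = defaultdict(list)
    for ts, ev, src, _ in events:
        if ev == "vpn_auth_ok":
            auth_times[src].append(ts)

    stats = defaultdict(lambda: {"handshakes": 0, "authenticated": 0, "unauthenticated": 0})
    for ts, ev, src, _ in events:
        if ev != "vpn_connect":
            continue
        s = stats[src]
        s["handshakes"] += 1
        if any(ts <= a <= ts + window for a in auth_times[src]):
            s["authenticated"] += 1
        else:
            s["unauthenticated"] += 1
    return dict(stats)


def noisy_sources(stats, min_unauth=2):
    """Source IPs with at least `min_unauth` handshakes and no authentication at all:
    the candidates to treat as scanner noise rather than user activity."""
    return sorted(
        src for src, s in stats.items()
        if s["authenticated"] == 0 and s["unauthenticated"] >= min_unauth
    )


if __name__ == "__main__":
    stats = summarize(SAMPLE_LOG)
    for src, s in sorted(stats.items()):
        print(f"{src:15} handshakes={s['handshakes']} "
              f"authenticated={s['authenticated']} unauthenticated={s['unauthenticated']}")
    print("noise candidates:", noisy_sources(stats))
```

The window and threshold are tunable: a longer window tolerates slow MFA prompts (an Okta push can take a while), and a higher threshold avoids flagging a single stray probe. The useful output is the split itself: handshake counts alone say nothing, but a source that keeps handshaking and never reaches `vpn_auth_ok` is exactly the pattern support described.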

6 Replies
alemabrahao
Kind of a big deal

Changing the default AnyConnect port can significantly reduce these handshake attempts, but it doesn't mean it will stop them, since you can easily find out which ports are open by running a port scan for your IP.

What I really recommend in your case is to use multifactor authentication. It won't stop anyone from trying to authenticate, but it will at least make your connection more secure.


https://documentation.meraki.com/MX/Client_VPN/AnyConnect_on_the_MX_Appliance/Authentication

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
Roey1984
Building a reputation

Thanks, @alemabrahao 😁

We’re using Okta as our IDP, so yes—we have 2FA enabled for all users.

Would you still recommend changing the port from 443 to something else, like 26581 (or any other random port)?

If so, would users need to make any changes on their end, or is it enough to update the port in the AnyConnect portal?

alemabrahao
Kind of a big deal

As I said, it can be reduced, but with a simple port scan it is possible to discover the open ports on your network, so it won't make a difference in the end.

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
Roey1984
Building a reputation

If that is the case, I'll pass and keep the existing port.

Thank you, my friend, I appreciate your assistance here.

PhilipDAth
Kind of a big deal

This is just random people scanning your network. Just for fun, plug your IP address into Shodan.

https://www.shodan.io/

Shodan is an example of something that will be scanning you all the time. Of course, bad people will also be scanning you to find unpatched devices and security weaknesses.

I have changed the default port many times. Also note that AnyConnect uses TCP and UDP.

Roey1984
Building a reputation

Hmm, I understand.

I guess that port 443 is the most common port for secure traffic.

Gets me wondering how much of a difference it would make if I changed the default port to something else.

If it uses TCP and UDP, what can I take from that? I guess UDP packets are more prone to drops?
